
ITS security issue when download, execute program warning

Emre_tr
Active Participant
0 Kudos
514

Hi,

We have a problem when using the download-to-Excel functionality in an ALV screen via the ITS WebGUI screen. After downloading, a warning popup appears saying it is not allowed to execute, and to configure WEBCONFIG.CFG.

I have searched SCN and SAP notes and found limited information to solve it. I tried some things but had no success. I also found SAP note 1555523, but it's not clear how to solve it, and a solution on the client side is not the best solution, I think.

Our SAP version is 740, SP level 0004.

Is anyone able to help?

Best regards

Accepted Solutions (1)

Emre_tr
Active Participant
0 Kudos

Hi Oisin,

I have traced the error and the result is below. But I have had no success accessing the WEBGUI.CFG file; it's not working, ITS does not check this file. I am not sure whether the path is correct.

C:\Users\emre\AppData\WEBGUI_CFG_DIR\WEBGUI.CFG

Error Log;

security: Missing Application-Library-Allowable-Codebase manifest attribute for: http://aaaaaa.com:8000/sap/public/icmandir/its/lsgui/applets/ws.jar

security: Validate the certificate chain using CertPath API

security: Grant socket perm for http://aaa.com:8000/sap/public/icmandir/its/lsgui/applets/ws.jar : java.security.Permissions@111b47a (

("java.net.SocketPermission" "aaa.com" "connect,accept,resolve")

)

security: Missing Application-Library-Allowable-Codebase manifest attribute for: http://aaa.com:8000/sap/public/icmandir/its/lsgui/applets/ws.jar

security: Validate the certificate chain using CertPath API

basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms

security: Missing Application-Library-Allowable-Codebase manifest attribute for: http://aaa.com:8000/sap/public/icmandir/its/lsgui/applets/ws.jar

security: Validate the certificate chain using CertPath API

ruleset: Non-jnlp rule id:

        title: SAPGUI For HTML Applet

        location: http://aaa.com:8000/sap(cz1TSUQlM2FBTk9OJTNhdGl0YW55dW1fQ1JEXzAwJTNhN3VFdWJkMUtJd29YME9kejJwMXFvNEdq...?

        jar location: http://aaa.com:8000/sap/public/icmandir/its/lsgui/applets/

        jar version: null

        isArtifact: true

ruleset: finding Deployment Rule Set for

        title: SAPGUI For HTML Applet

        location: http://aaa.com:8000/sap(cz1TSUQlM2FBTk9OJTNhdGl0YW55dW1fQ1JEXzAwJTNhN3VFdWJkMUtJd29YME9kejJwMXFvNEdq...?

        jar location: http://aaa.com:8000/sap/public/icmandir/its/lsgui/applets/

        jar version: null

        isArtifact: true

ruleset: RuleId compare: (http, evypid01.evyap.com.tr, -1, ) to url: http://aaa.com:8000/sap(cz1TSUQlM2FBTk9OJTNhdGl0YW55dW1fQ1JEXzAwJTNhN3VFdWJkMUtJd29YME9kejJwMXFvNEdq...?

ruleset: RuleId compare: (http, plutonyum.carrefoursa.com, -1, ) to url: http://aaa.com:8000/sap(cz1TSUQlM2FBTk9OJTNhdGl0YW55dW1fQ1JEXzAwJTNhN3VFdWJkMUtJd29YME9kejJwMXFvNEdq...?

ruleset: no rule applies, returning Default Rule

security: SSV validation:

    running: 1.7.0_71

    requested: 1.6.0.31

    range: null

    javaVersionParam: null

    Rule Set version: null

network: Created version ID: 1.7.0.71

network: Created version ID: 1.6.0.31

preloader: Delivering: AppletInitEvent[type=CallConstructor]

preloader: Enqueue: com.sun.javaws.progress.PreloaderDelegate$4@93f0c6

preloader: Start progressCheck thread

basic: Applet loaded.

basic: Applet resized and added to parent container

preloader: Delivering: AppletInitEvent[type=CallInit]

preloader: Enqueue: com.sun.javaws.progress.PreloaderDelegate$4@893f08

ui: missing resource: java.util.MissingResourceException: Can't find resource for bundle com.sun.deploy.resources.Deployment, key PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 409950 us, pluginInit dt 17653813 us, TotalTime: 18063763 us

basic: PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 409950 us, pluginInit dt 17653813 us, TotalTime: 18063763 us

basic: Applet initialized

basic: Starting applet

basic: completed perf rollup

preloader: Delivering: AppletInitEvent[type=CallStart]

preloader: Enqueue: com.sun.javaws.progress.PreloaderDelegate$4@10f305b

ui: Pushing modality for applet ID 4 with dialog com.sap.webgui.ws.InfoDialog[dialog0,200,200,498x190,invalid,layout=java.awt.BorderLayout,APPLICATION_MODAL,title=Güvenlik uyarısı]

basic: Applet made visible

basic: Applet started

basic: Told clients applet is started

preloader: Stop progressCheck thread queue.size()=0

former_member194364
Active Contributor
0 Kudos

Hello Emre,

I do not see any issue with the path

C:\Users\emre\AppData\WEBGUI_CFG_DIR\WEBGUI.CFG

Could you please review the note

1920875 - ITS Up/Down: different problems in java plugin because of new security restrictions.

See also note

2137739 - ITS Up/Down: use of TLS 1.2 with java 8 patch 25 and above

Regards,

Oisin

cris_hansen
Advisor
0 Kudos

Hello Emre,

Please open a command line interface (command prompt) and execute:

set | findstr APPDATA

You need to create the WEBGUI_CFG_DIR inside %APPDATA% directory, as mentioned in SAP note 1555523:

"...

All white lists or black lists have to be included into a configuration file named "WEBGUI.CFG", which lays in the configuration directory:

    • windows: "APPDATA" environment variable + pathseperator + "WEBGUI_CFG_DIR"

..."

In my case, %APPDATA% is: C:\Users\<my user ID>\AppData\Roaming

For testing purposes, I wrote inside WEBGUI.CFG:

trace=3

then the java console brought me the following information:

"...

content of config file:

trace=3

ChangeConfigFile: false

...

ConfigDir: C:\Users\<my user ID>\AppData\Roaming\WEBGUI_CFG_DIR\

KeysFile: C:\Users\<my user ID>\AppData\Roaming\WEBGUI_CFG_DIR\AUTHORIZED_KEYS

ExeCookieFile: C:\Users\<my user ID>\execookie.txt

FileDialogFile: C:\Users\<my user ID>\AppData\Roaming\WEBGUI_CFG_DIR\WS_Util.CFG

WebguiConfigFile: C:\Users\<my user ID>\AppData\Roaming\WEBGUI_CFG_DIR\WEBGUI.CFG

SapWorkDir: C:\Users\<my user ID>\SapWorkDir\

TempDir: C:\Users\<my user ID>\AppData\Local\Temp\

..."

Let me know whether the directory is the correct one.

Thanks and kind regards,

Cris
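
As an added example (not part of the original thread or of any SAP note), a PowerShell check for the two mistakes that come up in this thread: a WEBGUI_CFG_DIR created outside %APPDATA%, and a misnamed config file. The function name Test-WebguiCfg, the key=value parsing, and the list of extensions flagged as directly executable are assumptions made for illustration.

```powershell
# Added example: locate and sanity-check WEBGUI.CFG for the current Windows user.
# Expected location per the note text quoted in the thread:
#   %APPDATA%\WEBGUI_CFG_DIR\WEBGUI.CFG
function Test-WebguiCfg {
    param([string]$AppData = $env:APPDATA)

    $cfgDir  = Join-Path $AppData 'WEBGUI_CFG_DIR'
    $cfgFile = Join-Path $cfgDir 'WEBGUI.CFG'
    $result  = [ordered]@{ ExpectedFile = $cfgFile; Found = $false; Settings = @{}; Warnings = @() }

    if (-not (Test-Path -LiteralPath $cfgDir -PathType Container)) {
        $result.Warnings += "Directory missing: $cfgDir"
        # Mistake seen in the thread: directory created in AppData, not AppData\Roaming
        $oneLevelUp = Join-Path (Split-Path $AppData -Parent) 'WEBGUI_CFG_DIR'
        if (Test-Path -LiteralPath $oneLevelUp) {
            $result.Warnings += "Found $oneLevelUp instead; it belongs under $AppData"
        }
        return [pscustomobject]$result
    }

    if (-not (Test-Path -LiteralPath $cfgFile -PathType Leaf)) {
        # A typo (WENGUI.CFG) or a hidden .txt suffix shows up in this listing
        $names = (Get-ChildItem -LiteralPath $cfgDir -File |
                  Select-Object -ExpandProperty Name) -join ', '
        $result.Warnings += "WEBGUI.CFG not found. Files present: $names"
        return [pscustomobject]$result
    }

    $result.Found = $true
    foreach ($line in Get-Content -LiteralPath $cfgFile) {
        if ($line -match '^\s*([^=\s]+)\s*=\s*(.*)$') {
            $result.Settings[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # Both ',' and ';' appear as separators in the thread, so accept either.
    $exts = $result.Settings['FILE_EXECUTE_EXTENSIONS_ALLOWED'] -split '[,;]' |
            ForEach-Object { $_.Trim().TrimStart('.').ToLower() } | Where-Object { $_ }
    # Assumed review list: types that run code directly rather than open a document
    $risky = 'exe','bat','cmd','com','vbs','js','ps1','hta','scr','msi','jar','lnk'
    $hits  = @($exts | Where-Object { $risky -contains $_ })
    if ($hits.Count -gt 0) {
        $result.Warnings += "Execute whitelist allows runnable types: $($hits -join ', ')"
    }
    return [pscustomobject]$result
}

Test-WebguiCfg | Format-List
```

Run it as the affected user, since %APPDATA% is per user; an empty Warnings list with Found = True means the file is where the quoted note text says it is read from.
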

Emre_tr
Active Participant
0 Kudos

Hello Cristiano,

Thanks for the valuable response. I have put my config file in the relevant directory but with no success; the system doesn't check this file.

I tried it for test purposes. We solved this problem after a kernel update and implementing notes.

C:\Users\<my user ID>\AppData\Roaming\WEBGUI_CFG_DIR\WEBGUI.CFG

Best regards,

Emre

Emre_tr
Active Participant
0 Kudos

Hi Oisin,

We have solved this problem with a kernel update and by implementing some notes.

Thank you.

former_member194364
Active Contributor
0 Kudos

Hello Emre,

Can you tell us more about the notes and the Kernel upgrade that you applied?

Regards,

Oisin

Emre_tr
Active Participant
0 Kudos

Hi Oisin,

The Basis team updated the kernel to 742, no. 114, but a click error happened and we implemented note 2163839; then we faced another error with the ITS download functionality.

We implemented another note, 2006931, but it didn't solve it.

Finally, SAP advised us to update the kernel again to a higher version. After updating the kernel patch no. to 210, it works.

Current state is ;

SAP kernel: 742

Patch no : 210

Add note links Message was edited by: Oisin ONidh

Answers (1)

Emre_tr
Active Participant
0 Kudos

Does anybody have an idea, or has anyone faced the same problem?

former_member194364
Active Contributor
0 Kudos

Hi Emre,

What's your Kernel version and patch level?

Have you changed the WEBGUI.cfg as per note 1555523 to allow the execution of the EXCEL program?

Can you outline what line you added to this file?


Example for allowing extensions of EXCEL:

FILE_EXECUTE_EXTENSIONS_ALLOWED=xls,xlsm,xlsx

Regards,

Oisin

Emre_tr
Active Participant
0 Kudos

Hi Oisin,

SAP version 740,  Sp-level 0004

I have created this file and put it in the path that the note mentions. But nothing happened. Actually, I don't understand what the note says. I have put the file in the path below, but I'm not sure it's right.

Path : C:\Users\XXX\Appdata\WEBGUI_CFG_DIR\WENGUI.CFG

File content is like this;

FILE_DOWNLOAD_ALLOWED=C:\TEMP

FILE_EXECUTE_EXTENSIONS_ALLOWED=cfg;hwl;xls;xlsx;txt

SAVE_LOCATION=C:\TEMP

former_member194364
Active Contributor
0 Kudos

Hi Emre,

Your WEBGUI.CFG file looks correct (except its name in your last post? You have WENGUI.CFG?).

Do you still get the same message now?

Will need the Kernel version

The Kernel is where the ITS Applet is located. This is how the Upload/Download via the WEBGUI is done.

Regards,

Oisin

Emre_tr
Active Participant
0 Kudos

Oisin,

The file name is correct; that's my writing mistake, sorry.

SAP kernel is 741.

It should be on the client PC, I think. Are you asking about the Java version? The Java version is the latest update.

former_member194364
Active Contributor
0 Kudos

Hi Emre,

the exact JVM would be useful as well as the exact 741 Kernel version that you are using.

See also the notes and KBAs

1733649 ITS Up/Down: tracing improved

2078323 How to get Java control trace for upload or download problem on SAP GUI for HTM

2082325 Complementary information on creating JVM trace for ITS

re detailed tracing of the its APPLET using the JVM.

Regards,

Oisin